1. INTRODUCTION

The cloud computing service models defined by the National Institute of Standards and Technology
(NIST) are software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service
(IaaS) [1]. Storage as a service (STaaS) is an addition to these traditional service models [2] and is included
in the IaaS model of cloud [3], [4]. Because of its flexibility, affordability and portability, STaaS gives its
subscribers the ability to access their data anywhere and at any time on a wide range of Internet-enabled
devices [5]. These characteristics have increased the popularity and usage of cloud storage services and
accelerated their adoption. Despite the benefits of using cloud storage services, security and the privacy of
data in the cloud remain the major concerns of subscribers, forensic researchers and practitioners [6].
Because cloud storage is accessible over the internet and offers the opportunity to store data online, it is
susceptible to malicious usage, including storing and sharing illicit materials such as child pornography and
drug trafficking material, and sharing and distributing cyber terrorist materials [7]. When malicious activities
involving cloud usage occur, forensic examiners are required to conduct forensic investigations, but
investigating malicious usage or criminal activity on cloud storage poses various challenges. These
have been identified as major challenges in the literature [8]-[10]. The difficulties include the
inability to identify and recover digital evidence from cloud storage in a forensically sound manner [11] and
the dependence on the cloud service provider (CSP) to provide the relevant forensic logs, which are difficult
to obtain because of privacy and the multi-tenant nature of cloud computing [12].

Despite the challenges associated with cloud forensics, when criminal acts or abuse of cloud storage
take place, it is necessary to carry out a forensic investigation of the cloud storage usage. Client forensics
can be used to obtain relevant forensic artifacts of cloud storage usage. The
investigation process in client forensics includes identifying, extracting and analyzing forensic footprints
(artifacts) from digital devices in relation to the malicious usage of cloud storage. When digital devices such
as personal computers, tablets and smartphones are used to access cloud storage such as iDrive, iCloud,
Google Drive and OneDrive, relevant forensic footprints of that usage are left in
different locations on the devices, and these can be analyzed to detect the malicious usage [13]-[15]. The web
browser is one of the locations that can be examined to investigate cybercrimes on digital devices because
it provides a wealth of information about web browsing activities. Every step or
action taken with the web browser, including the web sites visited, the time of visit, the frequency of
access, and the files accessed, downloaded and uploaded, can be reconstructed to paint a clearer picture of
the malicious usage [16]-[18].

This paper explores the artifacts created and retained on a Windows 10 digital device that can
be extracted from the logs of the Google Chrome and Internet Explorer web browsers when different activities,
including accessing, downloading and uploading data sets on iDrive cloud storage, are carried out. iDrive
cloud storage offers various capabilities, including online backup functionality on a wide range of
digital devices, which can be abused by cybercriminals, while Google Chrome and Internet Explorer were
recorded as among the most used web browsers [19]. Forensic analysis of web browsers on
Windows 10 devices that have accessed iDrive cloud storage is very limited in the literature and needs to be
further investigated to provide forensic guidelines for cybercrime investigation on other cloud storages. The
results of the investigations in this study show that relevant forensic footprints of cloud storage usage can be
obtained from the logs of web browsers. This study increases the knowledge of client forensics in relation to
cloud storage usage and the significance of web browser analysis during digital investigations.

Research in the literature illustrates how forensic artifacts can be obtained from the web browsers of
digital devices. The forensic analysis in [20] discovered the residual artifacts from private and portable web
browsing sessions, extracting artifacts from Google Chrome, Mozilla Firefox, Apple Safari and Internet
Explorer. Each of the web browsers under investigation was forensically analyzed with different forensic
tools to extract the relevant artifacts and establish an affirmative link between the user and the session. An
experimental setup was proposed that used different hardware and software together with forensic tools.
The results of the investigation showed that most of the recovered artifacts were discovered in random access
memory (RAM), slack or free space and in forensic directories. The authors of [21] investigated the forensic
footprints that were left behind after the use of the portable Google Chrome browser on the Windows 7
operating system. The forensic stages employed were detection of incidence, evidence preservation, data
acquisition, data analysis and reporting. Their approach delved deeper into the portable web browser to
provide more forensic artifacts. The paper also presented an efficient forensic solution by reconstructing
portable web browsing history to establish an affirmative link between a user and his portable web browsing
activities, which can serve as evidence admissible in a court of law. The authors of [22] analyzed and
collected forensic artifacts related to internet activities from the Google Chrome web browser on Windows
operating systems. The locations examined to retrieve forensic artifacts included the browsing history,
cookies, login data, top sites, shortcuts, user profile, prefetch file and RAM dump. The research provided
guidance on how different forensic techniques can be applied to obtain more robust digital artifacts from the
different web browser locations. The artifacts extracted included the last accessed date and time of Google
Chrome, search items and visited URLs, and the research showed how deleted items can be recovered. The
authors of [23] provided solutions for the extraction of forensic data from the RAM of a running system using
the live forensic analysis method. The authors used three stages of investigation, comprising pre-analysis,
analysis and post-analysis, to detect digital evidence from the Internet Explorer, Google Chrome, Mozilla
Firefox and Browzar web browsers. The authors of [24] illustrated how to carry
out forensic analysis of the data structures used by popular web browsers such as Chrome, Opera,
Mozilla Firefox and Dolphin on Android, and how to acquire forensic artifacts from these web browsers.
The AndroKit forensic tool was introduced to acquire and analyze forensic evidence. The authors concluded
that AndroKit has the capability to provide advanced forensic data acquisition and analysis features that
included flashing stock recovery and custom query execution. Jadhav and Meshram [25] proposed a
framework to detect suspicious user activities from the artifacts extracted from the web browser log files
of Firefox, Google Chrome, Internet Explorer and Opera. Their implementation results showed the different
artifacts that were extracted during the analysis of cookies, download history,
browser history, website host data and searched keywords. The components of the proposed framework
included the sources, evidence extraction and cleaning process, extracted evidence, evidence
identification, arranging evidence in order, analyzing all evidence, suspicious evidence and report generation.
The authors of [26] provided a general review of web browser attributes in different environments, including
the normal, private and portable modes of browsing, their limitations and the associated tools for performing
forensic investigations. It was noted that the artifacts recovered in the private browsing sessions were less
significant than in the public browsing sessions.

Mahlous and Mahlous [27] set up a set of experiments that comprised a live memory
analysis of RAM and a post-mortem analysis to examine the artifacts that are retrievable from the Brave web
browser on a Windows 10 device. Brave's private browsing mode was investigated to determine its
privacy-preserving and forensic data acquisition properties. The artifacts' locations and the type of evidence
available through live and post-mortem state analysis were documented. The authors concluded that live
memory analysis of RAM provided more relevant artifacts than post-mortem analysis. In the papers reviewed,
relevant forensic artifacts were examined, but the analyses were not linked to public cloud storages like
iDrive. Furthermore, step-by-step procedures with good guidelines to assist during forensic investigations
were not properly presented.


2. RESEARCH METHOD 

The activity workflow that guided the detection of relevant forensic artifacts from the web
browsers (Google Chrome and Internet Explorer) on the Windows 10 device examined in this research is
depicted in Figure 1. The process comprises the experimental setup, forensic analysis setup, forensic
analysis and results presentation. It details the tools and the procedures employed to extract various artifacts
from Google Chrome and Internet Explorer on a Windows 10 client device that accessed iDrive cloud
storage.


[Workflow stages shown in the figure: Experimental Setup, Forensic Analysis Setup, Implementation Procedures, Experimental Results]


Figure 1. Process workflow 


2.1. Experimental setup 

This section discusses the experimental setup used to detect the relevant artifacts with traces of iDrive usage
in the logs of Google Chrome and Internet Explorer on a Windows 10 digital device. The experimental setup
for this research study consists of a virtual machine (host) that was set up on a DELL laptop with a Windows 10
64-bit operating system and the following specifications: 32 GB RAM, Intel Core i7-4810MQ CPU @
2.8 GHz and a 1 TB hard drive. A total of 10 virtual machines (VMs) were built on the virtual host to carry out
the various activities that can be performed on a Windows 10 device while using the web browsers to access
iDrive cloud storage.

The 10 VMs represent different physical systems and simulate a series of real-life scenarios (common
activities) of using any cloud storage. The experiments were carried out with datasets in different formats
(Word documents, portable document format (PDF) files and video clips) that are related to terrorism activities
and were downloaded from different internet websites. The Nirsoft freeware forensic tool (Web Browser History
Viewer, IE PassView, OpenSaveFilesView and ChromeHistoryView) version 1.23.24 was installed on each
VM to detect the different artifacts on each virtual machine under investigation. Google Chrome version
78.0.3904.108 was downloaded and manually installed.


2.2. Forensic analysis setup 

To perform the Windows 10 web-based experiment in this study, ten virtual machines were set up
(VM1-VM10). Each of the VMs (VM1-VM10), as shown in Figure 2 and Table 1, represents one of the
common activities that can be carried out on the cloud storage (access, upload, download and deletion) with
any type of web browser.

Figure 2. Activities on Windows 10 device with the use of Internet Explorer and Google Chrome web browsers


Table 1. Windows web browser-based VM activities on the cloud storages

Windows 10 Web Browser ACCESS VM
    VM1: using IE to examine the different web sites visited to identify the cloud storage accessed
    VM6: using GC to examine the different web sites visited to identify the cloud storage visited

Windows 10 Web Browser UPLOAD VM
    VM2: using IE to determine the relevant artifacts related to the credentials that were used to access
         IDRIVE cloud storage on Windows 10 device
    VM7: using GC to determine the relevant artifacts related to the credentials that were used to access
         IDRIVE cloud storage on Windows 10 device

Windows 10 Web Browser UPLOAD VM
    VM3: using IE to determine the relevant artifacts that are related to the upload operation on IDRIVE
         cloud storage on Windows 10 device
    VM8: using GC to determine the relevant artifacts that are related to the upload operation on IDRIVE
         cloud storage on Windows 10 device

Windows 10 Web Browser DOWNLOAD VM
    VM4: using IE to determine the relevant artifacts that are related to the download operation on IDRIVE
         cloud storage on Windows 10 device
    VM9: using GC to determine the relevant artifacts that are related to the download operation on IDRIVE
         cloud storage on Windows 10 device

Windows 10 Web Browser DELETE VM
    VM5: using IE to determine the relevant artifacts that are related to the delete operation on IDRIVE
         cloud storage on Windows 10 device
    VM10: using GC to determine the relevant artifacts that are related to the delete operation on IDRIVE
          cloud storage on Windows 10 device


2.3. Implementation procedures 

The procedure employed for the web browser forensic analysis to detect traces of iDrive
cloud storage on a Windows 10 device involved the installation of the Nirsoft forensic tool. The Nirsoft
freeware was installed on each of the VMs (VM1-VM10). The Nirsoft utilities (downloaded from Nirsoft.com)
used during the forensic analysis include Web Browser History Viewer, IE PassView and OpenSaveFilesView.

In this procedure, useful artifacts were retrieved using the Nirsoft forensic tools. These forensic
artifacts provided useful information concerning the usage of the web browsers. The artifacts related to
iDrive cloud storage usage that were extracted from the Google Chrome and Internet Explorer web browsers
on the Windows 10 device, which include the different web sites visited and the credentials (the username
and password), are discussed in the experiments.


2.3.1. Experiment 1 

This experiment was performed on VM1 to examine the different websites that a user visited on the
Windows 10 device with the Internet Explorer web browser. The Web Browser History Viewer utility in the
Nirsoft package was used to identify the different websites visited with IE. The interface of the Web Browser
History Viewer showing the result of the analysis on VM1 is shown in Figure 3.


2.3.2. Experiment 2 

This experiment was performed on VM2 to examine the credentials (username and password)
used to access the iDrive cloud storage when the Internet Explorer web browser was used. The IE
PassView utility in the Nirsoft package was used to reveal the credential(s) used to access iDrive
with Internet Explorer. The interface of the experiment performed on VM2, which revealed the username and
password that accessed iDrive, is captured in Figure 4.

Figure 3. Interface showing different web sites visited including idrive.com on VM1

Figure 4. The extracted username and password that accessed iDrive in IE


2.3.3. Experiment 3 

This experiment was performed on VM3 to examine the files uploaded from the Windows 10 PC to
the iDrive cloud storage. The OpenedFilesView utility in the Nirsoft package was used to extract the
uploaded files from VM3. The OpenSaveFilesView interface revealing the uploaded files is shown in
Figure 5.


[Screenshot columns visible: File Modified Time, File Created Time, File Owner]


Figure 5. OpenFilesView forensic tool revealing the uploaded documents and the paths in IE


2.3.4. Experiment 4

This experiment was performed on VM4 to examine the files downloaded from the iDrive cloud
storage to the Windows 10 PC. The OpenedFilesView utility was used to extract the downloaded files. The
same interface as in Figure 5 was observed; the username and password obtained in experiment 3 were then
used to view the log on iDrive. The interface of the viewed log on iDrive revealing the downloaded files is
captured in Figure 6.


[Screenshot of the iDrive Web Logs page (Start Date 12-01-2020, End Date 12-19-2020), headed "Sync and
Cloud Storage Events from 12-01-2020 to 12-18-2020 (Browser-based activities only)", with columns
Description, When and IP. Entries shown:
    Downloaded money-laundering-and-terrori...tax-examiners-an.   Dec 18, 2020, 4:22 pm
    Downloaded Neutron Bombs Used In War of...ar of Yemen 2015.mp4   Dec 18, 2020, 3:46 pm]

Figure 6. Web logs on iDrive showing the download documents 


2.3.5. Experiment 5 

This experiment was performed on VM5 to examine the retrieval of deleted files from iDrive.
None of the Nirsoft utilities employed was able to retrieve the deleted files, but the web log interface of
iDrive recorded the delete activity when the username and password extracted in experiment 3 were used.
The interface of the viewed log on iDrive revealing the deleted files is shown in Figure 7.


[Screenshot of the iDrive Web Logs page (Start Date 12-01-2020, End Date 12-19-2020) showing repeated
"Deleted" entries, each timestamped Dec 18, 2020, 3:24 pm, for the files:
    Nuclear-Security-Fact-Sheet.pdf
    Neutron Bombs Used In War of...ar of Yemen 2015.mp4
    money-laundering-and-terrori...tax-examiners-an.pdf]

Figure 7. Web logs on iDrive showing the deleted files 


2.3.6. Experiment 6 

This experiment was performed on VM6 to examine the different websites that a user visited on the
Windows 10 device with the Google Chrome web browser. The ChromeHistoryView utility in the Nirsoft
package was used to identify the different websites visited. The interface of the experiment performed on VM6,
showing the different websites visited as revealed by the ChromeHistoryView forensic tool, is presented in
Figure 8.

Figure 8. Interface showing different web sites visited on VM6 with Browser History Viewer in GC


2.3.7. Experiment 7 

This experiment was performed on VM7 to examine the credentials (username and password)
used to access the iDrive cloud storage when the Google Chrome web browser was used. The Chrome Pass
utility in the Nirsoft package was used to reveal the credentials used to access IDRIVE with Google Chrome.
The interface of the experiment performed on VM7 revealing the username and password that accessed
IDRIVE is captured in Figure 9.

Figure 9. Extracting username and password that accessed iDrive using Chrome Pass in GC


2.3.8. Experiment 8 

This experiment was performed on VM8 to examine the files uploaded from the Windows 10 PC to
the iDrive cloud storage with the Google Chrome web browser. The OpenedFilesView utility in the Nirsoft
package was used to extract the uploaded documents. The interface of the experiment performed on VM8
revealing the uploaded documents is presented in Figure 10.

Figure 10. Open files view revealing the uploaded documents and the paths in GC


2.3.9. Experiment 9

This experiment was performed on VM9 to examine the files downloaded from the iDrive cloud
storage to the Windows 10 PC when Google Chrome was used. The BrowserDownloadView utility in the
Nirsoft package was used to extract the downloaded documents. The interface of the experiment performed
on VM9 revealing the downloaded documents is presented in Figure 11.

Figure 11. The extracted downloaded files with browser download view
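
Chrome keeps the visit and download records examined in Experiments 6 and 9 in its History SQLite database. The following Python code is an added example, not code from this paper or from Nirsoft, that builds a timeline of idrive.com visits and downloads from such a database. The tables are a reduced subset of Chrome's History schema, every row and every URL path containing "constructed" is sample data made up here, and the function names are hypothetical.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def utc_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def host_matches(url, domain):
    """True only for the domain itself or a subdomain, never a look-alike host."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def build_sample_history():
    """Constructed stand-in for a working copy of Chrome's History file.
    On a case, open the copy read-only instead:
    sqlite3.connect("file:History_copy?mode=ro", uri=True)"""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT,
            start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER);
        CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT);
    """)
    t = lambda h, m: utc_to_webkit(datetime(2020, 12, 18, h, m, tzinfo=timezone.utc))
    con.executemany("INSERT INTO urls VALUES (?,?,?)", [
        (1, "https://www.idrive.com/", "IDrive"),
        (2, "https://www.idrive.com/constructed/files", "Files"),
        (3, "https://idrive.com.example.net/", "Look-alike host"),
        (4, "https://www.example.org/search?q=idrive.com", "Search"),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?)", [
        (1, 4, t(15, 30)), (2, 1, t(15, 40)), (3, 2, t(15, 41)), (4, 3, t(15, 50)),
    ])
    con.execute("INSERT INTO downloads VALUES (1, ?, ?, 2048, 2048)",
                (r"C:\Users\analyst\Downloads\sample.pdf", t(15, 46)))
    con.execute("INSERT INTO downloads VALUES (2, ?, ?, 100, 4096)",
                (r"C:\Users\analyst\Downloads\partial.mp4", t(15, 47)))
    con.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://www.idrive.com/constructed/download?id=1"),
        (2, 0, "https://www.idrive.com/constructed/download?id=2"),
    ])
    return con

def cloud_timeline(con, domain="idrive.com"):
    """Visits and downloads tied to `domain`, ordered by UTC time."""
    events = []
    rows = con.execute("SELECT v.visit_time, u.url FROM visits v "
                       "JOIN urls u ON u.id = v.url")
    for ts, url in rows:
        if host_matches(url, domain):
            events.append((webkit_to_utc(ts), "visit", url))
    # chain_index 0 is the first URL of the download's redirect chain.
    rows = con.execute("SELECT d.start_time, d.target_path, d.received_bytes, "
                       "d.total_bytes, c.url FROM downloads d "
                       "JOIN downloads_url_chains c ON c.id = d.id "
                       "WHERE c.chain_index = 0")
    for ts, path, got, total, src in rows:
        if host_matches(src, domain):
            kind = "download" if got == total else "download-incomplete"
            events.append((webkit_to_utc(ts), kind, path))
    return sorted(events)

if __name__ == "__main__":
    for when, kind, detail in cloud_timeline(build_sample_history()):
        print(when.isoformat(), kind, detail)
```

Matching on the parsed hostname rather than on a substring keeps the look-alike host and the search query that merely mentions idrive.com out of the timeline.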


2.3.10. Experiment 10 

This experiment was performed on VM10 to examine the retrieval of deleted files from iDrive
when Google Chrome was used to access the iDrive cloud storage. None of the Nirsoft utilities used was able
to retrieve the deleted files. The account name and password retrieved in Experiment 6 were used to
access iDrive cloud storage. The documents uploaded in experiment 8 were deleted with the utility in the
iDrive environment. The web log was then viewed to see whether the deletion operation was recorded. The
interface of the experiment performed on VM10 revealing the deleted documents is shown in
Figure 12.


[Screenshot of the iDrive Web Logs page (Start Date 12-01-2020, End Date 12-19-2020) showing repeated
"Deleted" entries, timestamped Dec 18, 2020, 3:24 pm, for the files:
    Nuclear-Security-Fact-Sheet.pdf
    Neutron Bombs Used In War of...ar of Yemen 2015.mp4
    money-laundering-and-terrori...tax-examiners-an.pdf]

Figure 12. Web Logs interface showing the deleted items from the iDrive trash 


3. EXPERIMENTAL RESULTS AND DISCUSSION 

The results of the forensic analysis in this research show that relevant residual artifacts related to
the different operations carried out on iDrive cloud storage are retrievable from the Google Chrome and
Internet Explorer web browsers. Experimental guidelines were presented that captured relevant screenshots of
retrievable artifacts from the iDrive platform using the Nirsoft freeware forensic tool. The study analyzed the
storage (Web sites visit, Login, Upload, Download, Deletion operations). The experiments showed that the
different web sites visited, the credentials that were used to access the web site (cloud storage) and the
different file operations can be forensically extracted with appropriate forensic tools to reconstruct any
form of cybercrime and determine the when, what, why, where, who and how of a digital forensic
investigation, providing valid evidence of the abuse or malicious usage of cloud storage.


4. CONCLUSION 

In this research study, the relevant residual forensic artifacts from a Windows 10 device that are
retrievable from the Google Chrome and Internet Explorer web browsers were presented, using iDrive cloud
storage as a case study. Experimental guidelines were provided that captured relevant screenshots of
retrievable artifacts from the iDrive platform using the Nirsoft freeware forensic tool. The study analyzed
different iDrive artifacts on Windows 10 devices when the device was used to access iDrive cloud storage,
considering the basic operations that cloud users undertake on cloud storage (including the Web sites visit,
Login, Upload, Download, Deletion operations). The experiments showed that the web sites visited, the
credentials that were used to access the web site (cloud storage) and the different file operations can be
forensically extracted to reconstruct any form of cybercrime and determine the usage of the cloud storage.
The research findings showed that a single forensic tool may not be sufficient to extract all the required
artifacts to fully reconstruct cybercrimes; more than one tool may be necessary to provide all the details
needed to prove the cybercrime activities. Extending the approach presented in this work to other web
browsers like Safari on iPhone, Samsung Internet on Samsung devices and other popular web browsers on
other digital devices running operating systems like Android, iOS, Ubuntu and macOS will be of great interest
for further research on client forensics with respect to cloud storage usage. Considering the legal and privacy
issues of conducting digital forensic analysis on personally owned devices and cloud storage would be of great
importance in conducting forensic analysis on real-life cases.